An End To Exploit-Based Development On The iPhone?
Apple CEO Steve Jobs explains the SDK shipping in February will help third-party partners and protect iPhone users from malicious programs.
With the upcoming introduction of an Apple-sanctioned iPhone software development kit in February, mobile application developers will no longer have to exploit a vulnerability to write iPhone applications.
Until then, determined developers may continue looking to the work of security researcher H.D. Moore, who has recently written a series of blog posts about cracking the iPhone.
Moore, director of security at BreakingPoint Systems and creator of the Metasploit vulnerability testing tool, has published details about the exploit that third-party developers have been using to put applications on the iPhone against Apple's wishes.
"Using a security vulnerability to enable third-party development is nothing new, but in the case of iPhone, this can be a problem," Moore said in a blog post last week.
The problem is that the flaw isn't merely useful for iPhone developers who just can't wait for Apple to open the iPhone up; it's potentially useful for hackers.
In a statement Wednesday on the Apple Web site, Apple CEO Steve Jobs made it clear that Apple is concerned about iPhone vulnerabilities.
"Some claim that viruses and malware are not a problem on mobile phones -- this is simply not true," said Jobs. "There have been serious viruses on other mobile phones already, including some that silently spread from phone to phone over the cell network. As our phones become more powerful, these malicious programs will become more dangerous. And since the iPhone is the most advanced phone ever, it will be a highly visible target."
The exploit described by Moore takes advantage of a programming flaw in libtiff, the open-source TIFF image-rendering library. It has been tested on several iPhone applications that incorporate libtiff: MobileMail, MobileSafari, and the iTunes Music Store, under firmware versions 1.02 and 1.1.1.
As Secunia explained in a recent security advisory, "The vulnerability is caused due to an error in the processing of TIFF images and can potentially be exploited to execute arbitrary code when a specially crafted TIFF image is viewed, e.g. in the Safari Web browser."
People who use their iPhones to read e-mail or surf the Web could thus be targeted by hackers.
The vulnerability also affects Apple's iPod Touch.
Secunia rates the vulnerability as "highly critical," or 4 on a 5-point scale.
"We are working on an advanced system which will offer developers broad access to natively program the iPhone's amazing software platform while at the same time protecting users from malicious programs," said Jobs. "We think a few months of patience now will be rewarded by many years of great third party applications running on safe and reliable iPhones."